
WhatsApp chats are vulnerable to surveillance despite encryption


WhatsApp’s security team issued an internal warning in March, highlighting a severe threat government surveillance poses despite the app’s encryption. The team also warned that while the content of the conversations among WhatsApp’s two billion users remains secure, government agencies circumvent this encryption to gather metadata such as information about who communicates with whom, membership of private groups, and user locations.

First reported by The Intercept, the surveillance method in question is known as ‘traffic analysis,’ a network-monitoring technique that has been in use for decades. It involves scrutinising internet traffic on a national scale to draw inferences about communication patterns. The assessment emphasised that WhatsApp is not the only messaging platform vulnerable to this technique.

However, it underscored the urgency for Meta, WhatsApp’s parent company, to decide whether to prioritise the functionality of its chat app or the safety of its most vulnerable users.

“WhatsApp should mitigate the ongoing exploitation of traffic analysis vulnerabilities that make it possible for nation states to determine who is talking to whom,” the assessment urged. “Our at-risk users need robust and viable protections against traffic analysis.”

The release of the threat assessment comes amidst the ongoing conflict in Gaza, raising alarming possibilities among some Meta employees. They speculated that Israel might exploit this vulnerability as part of its surveillance program targeting Palestinians. Digital surveillance has increasingly played a role in military operations, with metadata being crucial in identifying targets.

“WhatsApp has no backdoors, and we have no evidence of vulnerabilities in how WhatsApp works,” said Meta spokesperson Christina LoNigro.

Despite the assessment describing the vulnerabilities as ‘ongoing’ and specifically mentioning WhatsApp 17 times, LoNigro stated that the document is theoretical and does not reflect a specific vulnerability in WhatsApp.

The assessment clearly says that even after assuming WhatsApp’s encryption to be unbreakable, the ongoing “collect and correlate” attacks would be detrimental to the platform’s privacy model. This system is akin to observing a mail carrier ferrying sealed envelopes, revealing who is communicating without revealing the content of the conversations.

The metadata of WhatsApp chats is used by state actors for targeted surveillance. | Photo: Trismegist san / Shutterstock.com

Although the threat assessment does not cite specific instances where state actors have deployed this method, it references extensive reporting by The New York Times and Amnesty International on how governments globally use similar techniques to spy on encrypted chat app usage, including WhatsApp.

Earlier, it was reported that Israel has already been using a system known as Lavender that automatically rates Palestinians in Gaza for assassination based on various data points, including WhatsApp usage.

Following the Lavender exposé, a wider swath of Meta staff became aware of the March WhatsApp threat assessment. They also expressed concerns that this vulnerability could feed into Israel’s military targeting systems.

Meta employees worried that WhatsApp could contribute to lethal surveillance have organised under the campaign Metamates 4 Ceasefire. This group has published an open letter signed by over 80 staff members, calling for an end to internal censorship and greater transparency. However, the Meta spokesperson denied any censorship charges.

The threat assessment highlights the difficulty of mitigating traffic analysis vulnerabilities without compromising WhatsApp’s performance. Techniques such as adding artificial delays to messages or transmitting decoy data could degrade user experience or increase mobile data costs. This presents a challenging tradeoff between security and usability.
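The delay trade-off described above, as an added example (not taken from the assessment or from WhatsApp): a constructed simulation in which an observer sees only send and delivery timestamps, measuring how often timing alone links the two and what a random artificial delay costs in latency. The workload size, the base latency range and the function names are assumptions made for illustration.

```python
import bisect
import random

def simulate(max_extra_delay, n_messages=200, duration=600.0, seed=7):
    """Return (linkability, mean_latency) for a constructed workload.

    linkability is the share of messages for which the first delivery
    observed after a send is that same message, i.e. cases where timing
    alone ties sender to recipient even though content stays encrypted.
    """
    rng = random.Random(seed)
    sends, deliveries, latencies = [], [], []
    for msg_id in range(n_messages):
        t_send = rng.uniform(0.0, duration)
        network = rng.uniform(0.05, 0.30)          # assumed base latency (s)
        extra = rng.uniform(0.0, max_extra_delay)  # mitigation: random hold
        sends.append((t_send, msg_id))
        deliveries.append((t_send + network + extra, msg_id))
        latencies.append(network + extra)
    deliveries.sort()
    times = [t for t, _ in deliveries]
    linked = 0
    for t_send, msg_id in sends:
        i = bisect.bisect_right(times, t_send)     # first delivery after send
        if i < len(deliveries) and deliveries[i][1] == msg_id:
            linked += 1
    return linked / n_messages, sum(latencies) / n_messages

def tradeoff(delays=(0.0, 2.0, 10.0, 30.0)):
    """Linkability and mean latency for each maximum artificial delay."""
    return [(d, *simulate(d)) for d in delays]

if __name__ == "__main__":
    print("max_delay_s  linkability  mean_latency_s")
    for delay, link, latency in tradeoff():
        print(f"{delay:11.1f}  {link:11.2f}  {latency:14.2f}")
```

Linkability falls only once the delay is long compared with the gap between unrelated messages, which is why this mitigation is expensive on a low-traffic path.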

WhatsApp’s security team advocates for a collective effort to protect at-risk users, possibly by adopting a security mode similar to Apple’s ‘Lockdown Mode’ for iOS. However, this approach could inadvertently signal to adversaries that users are trying to hide their activities, increasing their risk.

Currently, Meta faces a significant dilemma: enhancing security for vulnerable users while maintaining WhatsApp’s mass appeal and performance. The company’s response to this threat will determine its ability to balance user privacy with its business objectives, highlighting the tension between market dominance and user safety.


Kumar Hemant


Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: kumarhemant@pm.me
